DDoS and Security Reports

The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.

Here’s some C&C information for you:

• Host: x.rofflewaffles.us
• Port: 8080

I’m not going to share passwords or any other specific information with you at this time. The malware on the bots has been updated as they join the channel. Signs of infections include connections to hosts with that hostname on that port, scans on TCP port 1025 (and other exploits in the bot include SYMC06-010, MS06-040, and weak passwords).

Links around the net on this topic include:

• ATLAS Attack Report: Microsoft DNS DCE-RPC Exploit Attempt — I love it, this is why we built ATLAS!
• RPC DNS Worm
• First DNS Zero Day worm discovered
• News from Microsoft: DNS 0day being exploited in the wild
• RPC DNS Worm Spotted In The Wild
• Worm exploits Windows DNS hole
• Microsoft DNS Server Exploits Abound
• RPC DNS Worm in the Wild

Popularity: 1% [?]

This entry was posted on Tuesday, April 17th, 2007 at 10:38 am and is filed under Arbor Networks - DDoS Experts, Botnets, Exploit Code, Vulnerabilities, Worms. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.